GitHub's official command-line tool, the gh CLI, was recently found to have a security vulnerability, CVE-2024-53858. The vulnerability leaks authentication tokens when cloning repositories that contain git submodules hosted outside GitHub.com and ghe.com. In this post, we cover the details of the vulnerability: the affected GitHub CLI commands, the changes made in version 2.63., and recommendations for mitigating the risk.

Affected GitHub CLI Commands

The security vulnerability affects several gh commands that clone a repository with submodules from non-GitHub hosts. These include:

gh pr checkout

These GitHub CLI commands invoke git with a credential.helper configuration that tells git to request authentication tokens from gh for any host it encounters, including the hosts of the repository's submodules.

Environment Variables and Token Sourcing

Before version 2.63., hosts other than GitHub.com and ghe.com were treated as GitHub Enterprise Server hosts. The CLI would source tokens from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage:

GITHUB_TOKEN - when the CODESPACES environment variable is set

As a result, when cloning submodules, git would obtain a token from gh and send it to the submodule's host, even when that host was not GitHub.com or ghe.com.

Changes in Version 2.63.

In version 2.63., the GitHub CLI now limits the hosts for which gh acts as a credential helper to GitHub.com and ghe.com. This mitigates the risk of leaking authentication tokens to other hosts. Additionally, the GITHUB_TOKEN will only be used for GitHub.com and ghe.com, further reducing the risk.
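The following is an added example, not code from the GitHub CLI project, that models the behaviour described above: it parses a constructed .gitmodules file, extracts the host of each submodule URL, and reports which hosts gh would answer git's credential requests for under the pre-2.63 policy (every host treated as GitHub Enterprise Server) versus the 2.63 policy (GitHub.com and ghe.com only). The host names in the sample are constructed, and treating tenant subdomains (*.ghe.com) as ghe.com is this example's assumption.

```python
"""Added example (not code from the GitHub CLI project): a model of the
submodule credential-helper behaviour behind CVE-2024-53858.
"""
from urllib.parse import urlparse

# Constructed sample .gitmodules: one submodule on GitHub.com, one on a
# ghe.com tenant, and one on an unrelated third-party host.
SAMPLE_GITMODULES = """\
[submodule "libs/shared"]
\tpath = libs/shared
\turl = https://github.com/example-org/shared.git
[submodule "libs/internal"]
\tpath = libs/internal
\turl = https://example-tenant.ghe.com/example-org/internal.git
[submodule "libs/vendor"]
\tpath = libs/vendor
\turl = https://git.example-vendor.test/vendor/lib.git
"""


def parse_gitmodules(text: str) -> dict[str, dict[str, str]]:
    """Parse the git-config style .gitmodules format into {name: {key: value}}."""
    modules: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            header = line[1:-1].strip()
            if header.startswith("submodule "):
                current = header[len("submodule "):].strip().strip('"')
                modules[current] = {}
            else:
                current = None  # not a submodule section; ignore its keys
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip().lower()] = value.strip()
    return modules


def submodule_hosts(text: str) -> dict[str, str]:
    """Return {submodule name: lower-cased host} for HTTP(S) submodule URLs.

    scp-style and ssh:// URLs are skipped: git credential helpers only serve
    HTTP(S) remotes.
    """
    hosts = {}
    for name, keys in parse_gitmodules(text).items():
        parsed = urlparse(keys.get("url", ""))
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts[name] = parsed.hostname.lower()
    return hosts


def helper_consulted(host: str, fixed: bool) -> bool:
    """Would gh answer git's credential request for this host?

    fixed=False models releases before 2.63: every host is treated as a
    GitHub Enterprise Server host, so gh answers for all of them.
    fixed=True models 2.63: only GitHub.com and ghe.com. Treating tenant
    subdomains (*.ghe.com) as ghe.com is this example's assumption.
    """
    if not fixed:
        return True
    return host == "github.com" or host == "ghe.com" or host.endswith(".ghe.com")


def exposed_hosts(text: str, fixed: bool) -> set[str]:
    """Hosts for which git would ask gh for a token when cloning these submodules."""
    return {host for host in submodule_hosts(text).values()
            if helper_consulted(host, fixed)}


if __name__ == "__main__":
    for label, fixed in (("before 2.63", False), ("2.63", True)):
        print(f"{label}: helper consulted for "
              f"{sorted(exposed_hosts(SAMPLE_GITMODULES, fixed))}")
```

Under the old policy the third-party host git.example-vendor.test appears in the result, meaning a GitHub token would have been handed to it; under the 2.63 policy it does not.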

Recommendations for Users

Users are strongly advised to upgrade to version 2.63. to mitigate the risk of this security vulnerability. You can find the latest release and installation instructions here:

- GitHub CLI 2.63. Release
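As an added example, not part of the original post, here is a small check that parses the first line of `gh --version` output (format `gh version X.Y.Z (date)`) and reports whether the installed CLI is below the 2.63 line that carries the fix. The sample outputs and their dates are constructed; the comparison uses only major.minor because that is what the advisory specifies.

```python
"""Added example (not part of the original post): check whether an installed
GitHub CLI is at or above the 2.63 line that contains the fix.
"""
import re
import subprocess
from typing import Optional

FIXED_MAJOR_MINOR = (2, 63)  # from the advisory; patch level is not compared

# First line of `gh --version` looks like: gh version 2.62.0 (2024-01-01)
_VERSION_RE = re.compile(r"^gh version (\d+)\.(\d+)\.(\d+)")

# Constructed sample outputs (dates are placeholders).
OLD_OUTPUT = "gh version 2.62.0 (2024-01-01)\n"
NEW_OUTPUT = "gh version 2.63.0 (2024-01-01)\n"


def parse_gh_version(output: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) from `gh --version` output, or None."""
    match = _VERSION_RE.match(output.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def needs_upgrade(output: str) -> bool:
    """True when the version could not be parsed or is below 2.63."""
    version = parse_gh_version(output)
    if version is None:
        return True  # unknown version: treat as needing attention
    return version[:2] < FIXED_MAJOR_MINOR


def installed_gh_needs_upgrade() -> bool:
    """Run the real `gh --version` on this machine (gh must be on PATH)."""
    try:
        result = subprocess.run(["gh", "--version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return True  # gh not installed or not on PATH; nothing to trust here
    return needs_upgrade(result.stdout)


if __name__ == "__main__":
    for sample in (OLD_OUTPUT, NEW_OUTPUT):
        print(sample.strip(), "->", "upgrade" if needs_upgrade(sample) else "ok")
    print("installed gh needs upgrade:", installed_gh_needs_upgrade())
```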

Additionally, users should revoke authentication tokens used with the GitHub CLI and review their personal security logs and any relevant audit logs for actions associated with their account or enterprise. To do this, follow these links:

- Revoking a Personal Access Token
- Reviewing your personal security log

Conclusion

CVE-2024-53858 highlights a significant security vulnerability in the GitHub CLI. By upgrading to version 2.63. and revoking authentication tokens used with the CLI, users can mitigate the risks associated with this issue. As always, it's crucial to stay up-to-date on security patches and releases to protect your account and sensitive information.

Timeline

Published on: 11/27/2024 22:15:05 UTC